At first glance the pcap looks like a mess of 33,247 packets, but with a few clicks Wireshark will sort and organize all the data. The first thing I did was go to Statistics > Conversations, select the TCP tab, then sort by port to get a grasp of what is going on. I followed a few FTP (port 21) streams because they are in plaintext and you can see which files were transferred. If you want to grab the actual file data you have to find the corresponding ftp-data (port 20) stream. Right away I saw something interesting; here is a list of actions from 192.168.245.3 (attacker) on 192.168.245.12 (victim):

RETR (downloaded):
  favicon.ico
  challenges.zip
  RPWD.RTF

STOR (uploaded):
  PwDump7.exe
  sbd.exe
  BFK.exe
  MSINET.OCX
  converter.dll
  inetlog.txt
  keylog.txt
  needtosend.log
  sclog.txt

USER: administrator
PASS: GMODEOWNZYOU

This is concerning because PwDump7.exe is a password-hash dumper for Windows and BFK.exe is a keylogger!

Following that stream quickly reveals a remote cmd shell, probably via netcat. As I looked through this I wanted a timeline of events. Because I had sorted all conversations by port, the FTP packets appeared before the remote shell and threw off the sequence of events. When I applied filters to the whole pcap I saw that the remote shell was established well before the FTP session: someone was working on the system before transferring files via FTP. Another way to establish the chronology is to look at the "tcp.stream eq ##" value in the title bar of each followed TCP stream, since Wireshark numbers streams in the order they first appear in the capture.
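The two Wireshark steps above (reading USER/PASS/RETR/STOR from the port 21 control channel, then locating the matching ftp-data stream and ordering everything by time rather than by port) can be scripted once the streams are exported as text. The script below is an added example and is not code from the original write-up. Its input imitates "Follow TCP Stream" output with a relative timestamp and a direction tag added to each line; the timestamps, the shell command and the password are constructed sample values, while the two addresses and the filenames PwDump7.exe and favicon.ico come from the write-up. It also covers the case the paragraph above does not: in passive mode the data channel is not on port 20 but on the ephemeral port announced in the server's 227 reply, so the script decodes both PORT and 227 to build the display filter that isolates the data stream.

```python
"""Rebuild an FTP activity timeline from control-channel (port 21) text.

Added example, not code from the original write-up. Input mimics
Wireshark's "Follow TCP Stream" output with a relative timestamp and a
direction tag ('C' client->server, 'S' server->client) added per line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Line = Tuple[float, str, str]  # (seconds, direction, raw line)

# Constructed sample capture: stream 7 is the remote shell on an ephemeral
# port, stream 12 is the FTP control channel. Sorting conversations by port
# lists the FTP stream first; sorting by time shows the shell came first.
SAMPLE_STREAMS: Dict[int, Tuple[str, List[Line]]] = {
    7: ("shell", [(12.0, "C", "dir C:\\Inetpub\\ftproot\r\n"),
                  (12.4, "S", " Directory of C:\\Inetpub\\ftproot\r\n")]),
    12: ("ftp", [
        (300.0, "S", "220 Microsoft FTP Service\r\n"),
        (300.5, "C", "USER administrator\r\n"),
        (300.6, "S", "331 Password required\r\n"),
        (301.0, "C", "PASS sample-password\r\n"),  # constructed value
        (301.1, "S", "230 User logged in.\r\n"),
        (302.0, "C", "PORT 192,168,245,3,4,10\r\n"),  # active mode: client port 1034
        (302.1, "S", "200 PORT command successful.\r\n"),
        (302.2, "C", "STOR PwDump7.exe\r\n"),
        (302.3, "S", "150 Opening BINARY mode data connection.\r\n"),
        (303.0, "S", "226 Transfer complete.\r\n"),
        (304.0, "C", "PASV\r\n"),
        (304.1, "S", "227 Entering Passive Mode (192,168,245,12,8,1).\r\n"),  # server port 2049
        (304.2, "C", "RETR favicon.ico\r\n"),
        (304.3, "S", "150 Opening BINARY mode data connection.\r\n"),
        (305.0, "S", "226 Transfer complete.\r\n"),
    ]),
}

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpEvent:
    time: float
    stream: int
    kind: str                      # "login", "upload" (STOR) or "download" (RETR)
    detail: str                    # user name or file name
    data_ip: Optional[str] = None  # endpoint of the ftp-data connection
    data_port: Optional[int] = None


def _endpoint(match) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and 227 replies."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ftp_control(stream_id: int, lines: List[Line]) -> List[FtpEvent]:
    """Extract logins and transfers, each tagged with its data-channel endpoint."""
    events: List[FtpEvent] = []
    user = "?"
    endpoint: Tuple[Optional[str], Optional[int]] = (None, None)
    for t, direction, raw in lines:
        line = raw.rstrip("\r\n")
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
            elif verb == "PORT":
                m = PORT_RE.match(line)
                if m:
                    endpoint = _endpoint(m)
            elif verb in ("STOR", "RETR"):
                kind = "upload" if verb == "STOR" else "download"
                events.append(FtpEvent(t, stream_id, kind, arg, *endpoint))
        else:
            if line.startswith("230"):    # successful login
                events.append(FtpEvent(t, stream_id, "login", user))
            elif line.startswith("227"):  # passive-mode data endpoint
                m = PASV_RE.match(line)
                if m:
                    endpoint = _endpoint(m)
    return events


def data_channel_filter(event: FtpEvent) -> str:
    """Wireshark display filter that isolates the matching ftp-data stream."""
    return f"ip.addr == {event.data_ip} && tcp.port == {event.data_port}"


def build_timeline(streams) -> List[Tuple[float, int, str]]:
    """Merge all streams into one time-ordered list of (seconds, stream, what)."""
    rows: List[Tuple[float, int, str]] = []
    for sid, (proto, lines) in streams.items():
        rows.append((min(t for t, _, _ in lines), sid, f"first packet of {proto} stream"))
        if proto == "ftp":
            for e in parse_ftp_control(sid, lines):
                rows.append((e.time, sid, f"{e.kind} {e.detail}"))
    return sorted(rows)


if __name__ == "__main__":
    for t, sid, what in build_timeline(SAMPLE_STREAMS):
        print(f"{t:8.1f}s  tcp.stream eq {sid:<3} {what}")
```

Run stand-alone it prints the merged timeline, with the shell stream listed before the FTP login even though its port sorts later. The filter string from `data_channel_filter` can be pasted into Wireshark to find the ftp-data stream for a given STOR or RETR, which is the step that otherwise requires hunting through streams by hand.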

The attacker looked around the system, created a GMTMP directory in C:\Inetpub\ftproot, then redirected command output into favicon.ico in order to exfiltrate the data while hiding it in plain sight. They browsed the filesystem, collected a few files, and then changed the passwords for Administrator, John, and nonadmin. They used PwDump to grab hashes and started the keylogger.

I wanted to look at some of the FTP files that were transferred, so I went through the arduous task of filtering out streams until I found the ones I wanted to save.